CVE-2025-48757

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts a responsibility over protecting the data of their application.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.lovable.dev/changelog
https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9
https://mattpalmer.io/posts/CVE-2025-48757/
https://mattpalmer.io/posts/statement-on-CVE-2025-48757/
https://x.com/danialasaria/status/1911862269996118272
https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9

Configurations

No configuration.

History

21 Aug 2025, 03:15

Type	Values Removed	Values Added
Summary	~~(en) An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites.~~	(en) An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts a responsibility over protecting the data of their application.

25 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 03:15

Updated : 2025-08-21 03:15

NVD link : CVE-2025-48757

Mitre link : CVE-2025-48757

CVE.ORG link : CVE-2025-48757

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

9.3 /10